Re: [OAUTH-WG] State Leakage Attack
"torsten@lodderstedt.net" <torsten@lodderstedt.net> Fri, 22 April 2016 17:07 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9203B12D934 for <oauth@ietfa.amsl.com>; Fri, 22 Apr 2016 10:07:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IYogqM4Dxh4f for <oauth@ietfa.amsl.com>; Fri, 22 Apr 2016 10:07:56 -0700 (PDT)
Received: from smtprelay01.ispgateway.de (smtprelay01.ispgateway.de [80.67.31.39]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6603812D751 for <oauth@ietf.org>; Fri, 22 Apr 2016 10:07:54 -0700 (PDT)
Received: from [87.140.195.4] (helo=[172.17.2.4]) by smtprelay01.ispgateway.de with esmtpsa (TLSv1.2:DHE-RSA-AES128-GCM-SHA256:128) (Exim 4.84) (envelope-from <torsten@lodderstedt.net>) id 1ateYa-0007XD-H4; Fri, 22 Apr 2016 19:07:52 +0200
Date: Fri, 22 Apr 2016 19:07:48 +0200
Message-ID: <4ea52uuwo0qag9ijskcke5mh.1461344868116@com.syntomo.email>
In-Reply-To: <571A3860.90609@uni-trier.de>
References: <571A3339.706@uni-trier.de> <8E6CA392-96B3-4DBE-8167-9FDD972A31A8@adobe.com> <571A36AE.5020105@uni-trier.de> <DEC7CA6F-5C6B-406F-97B8-0675D1A7D24F@adobe.com> <571A3860.90609@uni-trier.de>
From: "torsten@lodderstedt.net" <torsten@lodderstedt.net>
To: fett@uni-trier.de, asanso@adobe.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--_com.syntomo.email_6395466660820414"
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/MEZuOkS600c85UK8KqwdIkFJYEM>
Cc: gschmitz@informatik.uni-trier.de, oauth@ietf.org, kuesters@uni-trier.de
Subject: Re: [OAUTH-WG] State Leakage Attack
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Apr 2016 17:07:57 -0000
Hi Daniel, how is the attackers supposed to utilise the leaked state value? I would assume the legit client binds it to a certain user agent, e.g. via the session context, which is not available to the attacker. best regards, Torsten. -------- Originalnachricht -------- Betreff: Re: [OAUTH-WG] State Leakage Attack Von: Daniel Fett <fett@uni-trier.de> An: Antonio Sanso <asanso@adobe.com> Cc: Guido Schmitz <gschmitz@informatik.uni-trier.de>,oauth@ietf.org,Ralf Kuesters <kuesters@uni-trier.de> >Am 22.04.2016 um 16:39 schrieb Antonio Sanso: >> hi Daniel >> >> On Apr 22, 2016, at 4:35 PM, Daniel Fett <fett@uni-trier.de >> <mailto:fett@uni-trier.de>> wrote: >> >>> Hi Antonio, >>> >>> Am 22.04.2016 um 16:30 schrieb Antonio Sanso: >>>>> Hi all, >>>>> >>>>> During our formal analysis of OAuth we found an attack that allows >>>>> CSRF. It is similar to the "code" leak described by Homakov in [1] and >>>>> therefore not really surprising. In this attack, the intention for an >>>>> attacker is to steal the "state" value instead of the "code" value. >>>>> >>>>> Setting: >>>>> >>>>> In the auth code grant, after authentication to the AS, the user is >>>>> redirected to some page on the Client. If this page leaks the >>>>> referrer, i.e., there is a link to the attacker's website or some >>>>> resource is loaded from the attacker, then the attacker can see not >>>>> only code but also state in the Referer header of the request. >>>>> >>>>> The fact that code can leak was described in [1]. Since code is >>>>> single-use, it might be already redeemed in most cases when it is sent >>>>> to the attacker. >>>> >>>> probably is not redeemed instead, just because the redirect_uri is >>>> not the correct one. >>>> The mitigation that good implemented AS use (also Github) is to >>>> follow section 4.1.3 the OAuth core specification [RFC6749], in >>>> particular: >>>> >>>> "ensure that the "redirect_uri" parameter is present if the >>>> "redirect_uri" parameter was included in the initial authorization >>>> request as described in Section 4.1.1, and if included ensure that >>>> their values are identical." >>> >>> The attack is not based on a manipulation of the redirect_uri. Instead, >>> a correct redirect_uri is used, but the page loaded from the >>> redirect_uri contains links or external resources (intentionally or not). >> >> right. so is not really [1] :) since there there is manipulation using >> /../../ > >Of course. > >> Now the real question why a legit redirect_uri should contain links to >> malicious external resources? > >Well, why not? :) > >Anyway, developers should be made aware that having external >resources/links on these pages is a bad idea. > >- Daniel > >-- >Informationssicherheit und Kryptografie >Universität Trier - Tel. 0651 201 2847 - H436 > >_______________________________________________ >OAuth mailing list >OAuth@ietf.org >https://www.ietf.org/mailman/listinfo/oauth >
- Re: [OAUTH-WG] State Leakage Attack John Bradley
- [OAUTH-WG] State Leakage Attack Daniel Fett
- Re: [OAUTH-WG] State Leakage Attack Antonio Sanso
- Re: [OAUTH-WG] State Leakage Attack Daniel Fett
- Re: [OAUTH-WG] State Leakage Attack Antonio Sanso
- Re: [OAUTH-WG] State Leakage Attack Daniel Fett
- Re: [OAUTH-WG] State Leakage Attack Daniel Fett
- Re: [OAUTH-WG] State Leakage Attack Antonio Sanso
- Re: [OAUTH-WG] State Leakage Attack torsten@lodderstedt.net
- Re: [OAUTH-WG] State Leakage Attack Guido Schmitz
- Re: [OAUTH-WG] State Leakage Attack Torsten Lodderstedt
- Re: [OAUTH-WG] State Leakage Attack Thomas Broyer
- Re: [OAUTH-WG] State Leakage Attack André DeMarre
- Re: [OAUTH-WG] State Leakage Attack Thomas Broyer
- Re: [OAUTH-WG] State Leakage Attack André DeMarre
- Re: [OAUTH-WG] State Leakage Attack Torsten Lodderstedt
- Re: [OAUTH-WG] State Leakage Attack Thomas Broyer
- Re: [OAUTH-WG] State Leakage Attack torsten@lodderstedt.net
- Re: [OAUTH-WG] State Leakage Attack John Bradley
- Re: [OAUTH-WG] State Leakage Attack Daniel Fett
- Re: [OAUTH-WG] State Leakage Attack Antonio Sanso
- Re: [OAUTH-WG] State Leakage Attack Daniel Fett
- Re: [OAUTH-WG] State Leakage Attack John Bradley
- Re: [OAUTH-WG] State Leakage Attack John Bradley
- Re: [OAUTH-WG] State Leakage Attack Torsten Lodderstedt